Notices by Strypey (strypey@mastodon.nzoss.nz), page 112

@lain sorry to be pedantic, but I know the devil's in the details with protocol stuff, and I want to make sure I really understand what I'm being told here.
@alice

@lain so, there is a mechanism for DMs in vanilla AP, it's just not called "DM" or conceptualized from a user POV. The 'unlisted' and 'followers-only' concepts are not part of AP. Correct?
@alice

@z428 there are various ways to address this. OWS doesn't let clients older than 3 months connect to their servers. A secure chat federation protocol could include refusing to connect to another server that hasn't been updated for more than 3 months. There are all sorts of systems you can use to ensure security across a federated network (ask Mike from #Hubzilla / #Osada / #Zap about it). The only main problem with XMPP is that until recently security wasn't a design goal, but now #OMEMO exists.

@dgold there's also this piece, which was written in the wake of the infamous #LibreSignal debate:
https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/

@dgold cool, thanks. I'll have a read. I'm no expert on US law. But putting on my #TinFoilHat, say Signal was a #HoneyPot. Wouldn't there be mechanisms to prevent the courts from exposing that? Who actually checks Signal's servers on behalf of the government and reports what's there (and not there) to the courts?

@dgold take a chill pill bro. I've spent most of the day explaining this to multiple people. You could try doing the reading:
https://mastodon.nzoss.nz/@strypey/101368165804910431

I refer to Drew's blog piece because it sums up a lot of the issues in one place:
https://drewdevault.com/2018/08/08/Signal.html

If you use untrustworthy software for secret squirrel comms, you will get yourself and/or others arresteted (or worse). I'd rather than didn't happen, but ... whatever.

@ebel @dgold
> are warrant canaries actually useful?

Yes. Very useful.

> I always presumed "you can't tell anyone you got this" would cover "removing a notice"

That's not how a #WarrantCanary works. The whole point is you only change the notice if nothing shady has happened. Otherwise you don't change it on schedule, and a warning is automatically there. You can't make a law against not changing a notice, only issuing one (at least under current law).

@z428
> We also should accept he doesn't only have dumb or shady reasons for his point of view.

Why? The reasons he gives when challenged on this stuff are dumb and/or shady.

@gentoorebel

@colomar this is why a lot of people who care about #SoftwareFreedom don't trust OWS and Signal, and neither do I. @sir explains here:
https://drewdevault.com/2018/08/08/Signal.html
@stevenroose

@colomar funny that. Wanting to build the client from source, rather than accept a binary from the devs, is precisely why Moxie won't let the Signal app be added to F-Droid. He actually does demands users install his binaries from the Play store, or the APK from the Signal site. He demands that people don't use clients they've compiled themselves to connect to OWS servers. He gives all sorts of disingenuous defences for this that don't stack up.
https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165
@stevenroose

@KekunPlazas will #Fractal support voice/ video or just text chat?
@bob @alcinnz @aral

@noorul what's your use case? Who are you trying to chat with? Text or voice/ video? One-to-one or group? How sensitive are the chats likely to be? What kinds of adversaries do you want to be secure against? In my experience it's best to use a non-secure app, and choose what to say on that basis, than to speak freely using an app you think is secure when it really isn't.

FYI I've got various lists of #FreeCode chat apps here:
https://www.coactivate.org/projects/disintermedia/core-us
https://www.coactivate.org/projects/disintermedia/slacking-off

@bikecurious hmm. I clearly need to do some reading up on WebRTC and SIP. Thanks for the overview.
@gentoorebel @finn @clacke

@Antanicus my position on that is some from column A, some from column B. Some developers don't play well with others, and simply do better work in the BDFL model. Others do well in consensus-based teams like #Loomio. I don't see any need to impose external control on how developer-workers organize themselves. But there's a difference between core development and *deployment*, especially when deploying server-based software as online services. That's where #PlatformCooperatives shine.
@bhaugen

@Antanicus THIS! 1000 times this! Cooperatives are a kind of anticapitalist aikido. They *both* help us improve our lives in the here and now, *and* prefigure post-capitalist democratic economies (at least in a larval way), all while posing as business-as-usual in a way that's hard to justify attacking (openly).
@bhaugen

@dredmorbius right, which is why recommending thing that AFAIK reduce your security seems odd. I mean, it does depend on your threat model, but exposing oneself to more Apple/ Google than you have to (and thus the US government), opens up a pretty large attack surface for few different kinds of adversaries.

@kawaiipunk
> Signal is the best of a bad situation.

I'm still not sure why you think that.

> All of these criticisms of Signal are addressed by XMPP and OMEMO?

Many of the more urgent ones are already addressed by Wire. Another set will be when Wire rolls out server>server federation. If we can get them to use #OpenStandards like #XMPP and #OMEMO, that would address another set.
@gentoorebel @noorul

@kawaiipunk there are two separate problems here, that need separate solutions. A chat app simple enough to

> communicate securely with my friends and family who aren't hackers

... will have to make so many trade-offs for user convenience it won't be suitable for sensitive comms . Signal makes these trade-offs, while still claiming to be useful to activists, journalists, dissidents against unfriendly governments etc. As Drew says, this is horrifically irresponsible.
@bob @gentoorebel @noorul

@z428 the freedom and openess we're after is fundamentally the ability to create systems of transparency and accountability at all (eg code audits, protocol testing, cryptographic proofs, reproducible builds etc). We can argue about what exactly those systems should be, but I don't accept the argument that "trust Moxie" is sufficient substitute for any such system.
@gentoorebel